Netfilter developers distribute a set of patches that they package
so that it can be used by their `patch-o-matic-ng' (or `p-o-m') system.
p-o-m is a script that guides you through the process of choosing/selecting
the patches you want to apply, and automatically patch the kernel for you.

First, you should get the latest SVN tree, to be sure that you are using the
latest extensions. To do so, perform:

Make sure your kernel source is ready in `/usr/src/linux/'.
If for whatever reason the kernel you want to patch is not
in `/usr/src/linux/', then you can make the variable KERNEL_DIR
point to the path where your kernel is:

# export KERNEL_DIR=/the/path/linux

Make sure the dependencies are made already. If unsure:

# cd /usr/src/linux/
# make dep

Then go back to the netfilter tree, into its `patch-o-matic/' directory.
You can now invoke p-o-m:

# ./runme extra
Welcome to Patch-o-matic ($Revision: 3822 $)!
Kernel:
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied: nf-log
Testing... not applied
The HOPLIMIT patch:
Author: Maciej Soltysiak <solt@dns.toxicfilms.tv>
Status: Works for me.
This allows the user to set the IPv6 Hop Limit value on a packet or
to increment or decrement it by a given value.
Example:
# ip6tables -t mangle -A OUTPUT -j HOPLIMIT --hl-inc 1
# ip6tables -t mangle -A INPUT -j HOPLIMIT --hl-eq 64
# ip6tables -t mangle -A OUTPUT -j HOPLIMIT --hl-dec 2
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]

p-o-m will go through most of the patches. Those that are already applied
are listed on the `Already applied:' line. For every other patch it will prompt you
to decide whether or not to apply it.

Simply press enter if you do not want to apply it.

Type `t' to test that the patch will apply cleanly.

Type `y' to apply the patch.

Type `n' to skip this patch.

Type `f' to apply the patch even if the test fails.

Type `a' to restart patch-o-matic in apply mode.

Type `r' to restart patch-o-matic in REVERSE mode.

Type `b' to walk back one patch in the list.

Type `w' to walk forward one patch in the list.

Finally, type `q' to quit immediately.

A rule of thumb is to read the short explanation text of each patch carefully
before actually applying it. As there are currently a LOT of official patches for patch-o-matic
(and probably more unofficial ones), it is not recommended to apply them all!
You should really consider applying only the ones you need, even if it means recompiling
netfilter when you need more patches later on.

Patch-o-matic's `runme' is a nice Perl script. It optionally takes some command line arguments:

Each patch has its own directory within the main directory `patch-o-matic-ng'.
Each patch is attached to a suite of patches. The three existing suites (as of the date
of update of this HOWTO) are:

pending

base

extra

You can instruct p-o-m to show you only patches attached to a particular suite:

./runme --batch pending

This command will show you, and offer to apply, all the patches from the pending suite.
When you instruct `./runme' to apply patches from the `extra' patch repository, it will first
present you with the patches from the `pending' and `base' repositories.

Once you have applied all the patches you wished to apply, the next step is to recompile
your kernel and install it. This HOWTO will not explain how to do this. Instead, you
can read the Linux Kernel HOWTO.

While configuring your kernel, you will see new options in
``Networking Options -> Netfilter Configuration''. Choose the options
you need, recompile & install your new kernel.

Once your new kernel is installed, you can go ahead and compile and install the ``iptables''
package, from the `iptables/' directory as follows:

# make && make install

That's it! Your shiny new iptables package is installed! Now it's time
to use these brand new functionalities.
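The steps above (check the kernel tree, `make dep', run p-o-m, keep track of what was applied) wrapped into a small shell helper, as an added example that is not part of the netfilter project or of this HOWTO. It assumes the `runme' output format shown above (an `Already applied:' line and `The NAME patch:' headers) and records that information from a saved transcript, so that you can later tell which patches went into a given kernel; the sample transcript in it is constructed from the session shown above.

```shell
#!/bin/sh
# Added example (not netfilter's own code): wrap the p-o-m procedure and keep an
# audit record of which patches were offered and which were applied.

# Verify that the tree we are about to patch really looks like a kernel source.
check_kernel_dir() {
    dir="${1:-/usr/src/linux}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ -f "$dir/Makefile" ] || { echo "not a kernel tree (no Makefile): $dir" >&2; return 1; }
    grep -q '^VERSION' "$dir/Makefile" || { echo "Makefile has no VERSION: $dir" >&2; return 1; }
    return 0
}

# From a saved runme transcript, list the patches reported as already applied
# (one name per line, sorted, unique). Names on one line may be space separated.
applied_patches() {
    sed -n 's/^Already applied: //p' "$1" | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# From the same transcript, list the patches runme offered ("The X patch:" headers),
# so the record shows what was considered, not only what was taken.
offered_patches() {
    sed -n 's/^The \(.*\) patch:$/\1/p' "$1" | sort -u
}

# Constructed transcript, modelled on the session shown in the HOWTO (for offline use).
sample_transcript() {
    printf '%s\n' 'Welcome to Patch-o-matic ($Revision: 3822 $)!' \
        'Already applied: nf-log' 'Testing... not applied' \
        'The HOPLIMIT patch:' 'Status: Works for me.' \
        'Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]'
}

# Drive the steps in order: validate the tree, make dep, run p-o-m on one suite,
# keep the transcript in $2 and print the applied patch list at the end.
run_pom() {
    suite="$1"; log="$2"
    check_kernel_dir "$KERNEL_DIR" || return 1
    ( cd "$KERNEL_DIR" && make dep ) || return 1
    ./runme "$suite" 2>&1 | tee "$log"
    echo "applied: $(applied_patches "$log" | tr '\n' ' ')"
}
```

Run it from the `patch-o-matic/' directory as `KERNEL_DIR=/the/path/linux run_pom extra pom.log'; the saved `pom.log' is what `applied_patches' reads later.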